The software update management process lets organizations
control how they maintain and deploy software releases to their production
environments. Software update management improves operational efficiency and
effectiveness, helps overcome security vulnerabilities, and helps maintain the
stability of the production environment. For general information about
Microsoft software update strategies, visit the following Microsoft Web site:
When you plan a software update management strategy for computers
that are running Microsoft Internet Security and Acceleration Server (ISA
Server), consider the following recommendations:
• Make sure that computers that are running ISA Server have the latest Windows updates.
• Install critical updates and security updates for ISA Server as they become available. Additionally, install updates for components that are installed by ISA Server, such as Microsoft Data Engine (MSDE), as they become available.
• You can install any hotfixes that are available from Microsoft Product Support Services to address specific issues that you experience. However, because this kind of hotfix is typically included in the next ISA Server service pack, we recommend that you wait for the service pack that contains the hotfix unless the issue affects you severely.
• ISA Server updates and service packs are cumulative. A service pack for a specific version of ISA Server contains all previously released updates and fixes for that version. A service pack or cumulative update can be installed on computers that are running the release to manufacturing (RTM) version of ISA Server or on computers that are running ISA Server together with any hotfixes or updates that have been issued since RTM.
Prerequisites
You should install hotfixes and updates only on computers that are
running the version of ISA Server that is specified by the hotfix or by the
update. For example, you should install hotfixes and updates for ISA Server
2004, Standard Edition only on computers that are running ISA Server 2004,
Standard Edition. You can install ISA Server 2006 hotfixes only on computers
that are running ISA Server 2006.
Downloading and installing hotfixes
Download and install the hotfix as instructed by Microsoft
Product Support Services, as described in the Microsoft Knowledge Base article
for the hotfix, or as described on the Microsoft Download
Center.
While you install the hotfix, the driver and services might
stop on the computer that is running ISA Server. Sometimes, you may have to
physically disconnect the ISA Server computer from untrusted networks, such as
external networks, before you install the hotfix. You can learn whether this
disconnection is required by reading the Microsoft Knowledge Base article that
accompanies the hotfix or the download site's instructions.
Note: If ISA Server services are installed, ISA Server enters lockdown mode
during installation. After installation, the ISA Server computers or array
members must be restarted.
Administrative installation
By using administrative installation, you can integrate an update
into the ISA Server administrative installation point before you run ISA Server
Setup. For more information about administrative installation, visit the
following Microsoft Web site:
How to install updates for Enterprise editions of ISA Server
• ISA Server updates and service packs should be installed on all array members and Configuration Storage servers.
• Before you install the updates, log on to the Configuration Storage server by using administrative credentials. Use the same credentials that you used to install the Configuration Storage server in ISA Server Setup. If you install the update by using a different administrator account, the installation fails. In this case, you will receive a "Setup cannot initialize ISA Server settings" error message.
• ISA Server services may not start after you install or remove ISA Server updates. This problem may occur if the computer that is running the services is not synchronized with the Configuration Storage server. In this case, use the Monitoring node of the ISA Server Management console to manually restart the services.
• In an ISA Server Enterprise deployment in which ISA Server array members are installed in workgroup mode and the Configuration Storage server is part of a domain, ISA Server updates that are installed by using the Microsoft Update mechanism will fail. This problem occurs because there are no credentials available to access the Configuration Storage server. Rollback is successful after the update fails. The following workarounds are available for this issue:
    • For ISA Server 2004 Enterprise Edition, obtain the relevant update from the following Microsoft Download Center Web site:
      Then, install the update at a command prompt, and specify credentials.
    • For ISA Server 2006 Enterprise Edition, the following conditions are true:
        • ISA Server 2006 Enterprise Edition updates that were released before the ISA Server 2006 Supportability update (http://go.microsoft.com/fwlink/?LinkID=94689) that was issued on September 11, 2007 cannot be installed by using an alternative method. There is no workaround.
        • For ISA Server 2006 Enterprise Edition updates that were issued after the ISA Server 2006 Supportability Update, including the supportability update, obtain the relevant update from the Microsoft Download Center. When you run the update, a dialog box appears during Setup to let you specify the credentials to be used. Or, you can install the update at the command prompt.
  To install an update at the command prompt and to specify credentials, type the following at a command prompt:
  msiexec /p <msp> REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd /qb /l*v msilogfilename.log
  Note: If you use this method to install the update, the update cannot be removed. To uninstall this update, you must use the following workaround:
    1. Export the array configuration.
    2. Uninstall ISA Server.
    3. Reinstall ISA Server.
    4. Import the array configuration.
Staged updates
In large enterprises, you may be unable to install updates concurrently on all ISA Server computers. In this case, we recommend that you install updates in the following order:
1. On each computer that is running the ISA Server Management console (for remote management).
2. On each Configuration Storage server.
3. As required, run the upgrade separately on each server in an array and repeat for all arrays. To maintain availability, do the following on each ISA Server computer:
    a. If the server is load-balanced by using NLB or any other load-balancing mechanism, remove the server from the load-balancing configuration.
    b. Drain existing connections that are served by the server.
    c. Set NLB to "suspended" to prevent auto-rejoin when you restart.
    d. Install the update.
    e. Perform additional steps as required by the update package.
    f. Restart the server if it is required.
    g. Start NLB on the updated server.
Important
After you install an update on the remote management console or on Configuration Storage server, the following states apply:
• The update does not affect remotely managed ISA Server computers or array members that do not yet have the update installed.
• Features that are provided by the update may be only partially functional, as follows:
    • Features that do not require a change on the ISA Server computer will work as expected. For example, policy changes that are made on the remote management computer will affect all members of the array.
    • Features that require a change on the ISA Server computer will not be functional. For example, ISA Server 2006 SP1 provides a test button feature to verify Web publishing settings. This feature will not be available on array members that are not running SP1.
If an update is not installed on all array members, only servers that are running the update can provide the update features. As client requests are balanced between array members, clients cannot benefit from changed behavior if a request is served by an array member that does not have the update installed.
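The staging order and the mixed-array state described above can be checked against a deployment inventory. The following Python code is an added example, not part of the original article; the role labels, host names and inventory are constructed for illustration, and updating one member per array at a time is this example's reading of "separately on each server in an array".

```python
from dataclasses import dataclass

# Stages follow the order above: remote management consoles, Configuration
# Storage servers, then array members. The role labels are hypothetical.
STAGE = {"console": 1, "css": 2, "member": 3}

@dataclass
class Host:
    name: str
    role: str         # a key of STAGE
    updated: bool
    array: str = ""   # array name, set for role "member" only

def order_violations(hosts):
    """Hosts already updated although an earlier stage still has pending hosts."""
    first_pending = min((STAGE[h.role] for h in hosts if not h.updated), default=99)
    return sorted(h.name for h in hosts if h.updated and STAGE[h.role] > first_pending)

def mixed_arrays(hosts):
    """Arrays where only some members run the update, so its features are partial."""
    state = {}
    for h in hosts:
        if h.role == "member":
            state.setdefault(h.array, set()).add(h.updated)
    return sorted(a for a, seen in state.items() if len(seen) == 2)

def next_batch(hosts):
    """Hosts to update next: earliest pending stage, one member per array at a time."""
    pending = sorted((h for h in hosts if not h.updated), key=lambda h: h.name)
    stage = min((STAGE[h.role] for h in pending), default=None)
    batch = {}
    for h in pending:
        if STAGE[h.role] == stage:
            batch.setdefault(h.array or h.name, h.name)
    return list(batch.values())

# Constructed inventory: isa-a1 was updated before the Configuration Storage server.
INVENTORY = [
    Host("mgmt1", "console", True),
    Host("css1", "css", False),
    Host("isa-a1", "member", True, "A"),
    Host("isa-a2", "member", False, "A"),
    Host("isa-b1", "member", False, "B"),
]

if __name__ == "__main__":
    print("out of order:", order_violations(INVENTORY))
    print("mixed arrays:", mixed_arrays(INVENTORY))
    print("update next:", next_batch(INVENTORY))
```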
Other issues
When you run a monitoring application, such as the Microsoft
Operations Manager (MOM) Management Pack for ISA Server, you use ISA Server
files. Using these files may interfere with ISA Server Setup. To avoid this
problem, stop the monitoring application before you do any of the following:
• Repair, modify, install, or update ISA Server
• Install or uninstall a service pack
• Upgrade ISA Server
Troubleshooting installation
By default, a log is not created when you install a hotfix. You
can specify that a log is to be created during the installation. You can then
use this log together with Microsoft Product Support Services to troubleshoot
installation problems. Logging is only useful if installation fails. If you
install again after a successful installation, no useful information is logged.
To specify that a log is to be created during the installation of a hotfix,
type the following at a command prompt:
Msiexec /p Hotfix_Name.msp REINSTALL=ALL REINSTALLMODE=omus /l*vx! Logfile_Name.log
This statement is interpreted as follows:
• /p applies an update.
• Hotfix_Name.msp is the name of the hotfix file and the location where you downloaded the file.
• REINSTALL=ALL reinstalls features that are already installed. Use this command together with REINSTALLMODE to indicate the type of reinstallation. REINSTALL uses all uppercase letters.
• REINSTALLMODE=omus is used with REINSTALL to specify the kind of reinstallation. REINSTALLMODE uses all uppercase letters. The omus option indicates the following:
    • o reinstalls a file if it is missing or if it is an older version.
    • m rewrites registry entries in the HKEY_LOCAL_MACHINE registry hive or in the HKEY_CLASSES_ROOT registry hive.
    • u rewrites registry entries in the HKEY_CURRENT_USER registry hive or in the HKEY_USERS registry hive.
    • s reinstalls all shortcuts and re-caches all icons.
• /l turns on logging.
• *vx indicates a wildcard character that logs all information by using verbose output.
• Logfile_Name.log is the name of the log file.
By default, the log file is created in the same folder where you run the
msiexec command.
You can also examine the event viewer for
relevant information. After the installation is complete, an event indicates
whether the hotfix installation was successful.
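The verbose log described in this section is also produced by the credentialed msiexec command earlier on this page (/l*v), where STORAGESERVER_CONNECT_PWD is passed as a property. The following Python code is an added example, not part of the original article: it extracts the failing action and the exit code from a verbose Windows Installer log and masks that property before the log is shared with support. The sample log is constructed, the action name ExampleConnectStorage is hypothetical, and whether the password value is actually written to the log depends on the package, so the masking is a precaution.

```python
import re

SECRET_PROPS = ("STORAGESERVER_CONNECT_PWD",)  # property name from the command on this page

# Constructed sample log; the action name ExampleConnectStorage is hypothetical.
SAMPLE_LOG = r"""MSI (s) (5C:1C) [10:15:02:101]: Command Line: REINSTALL=all REINSTALLMODE=omus STORAGESERVER_CONNECT_ACCOUNT=mydomain\mydomainpermitteduser STORAGESERVER_CONNECT_PWD=mypwd
Action start 10:15:04: InstallInitialize.
Action ended 10:15:04: InstallInitialize. Return value 1.
Action start 10:15:09: ExampleConnectStorage.
Action ended 10:15:11: ExampleConnectStorage. Return value 3.
Property(S): STORAGESERVER_CONNECT_PWD = mypwd
MSI (s) (5C:1C) [10:15:12:440]: MainEngineThread is returning 1603
"""

def load_log(path):
    """Read a log file; msiexec usually writes UTF-16 with a byte-order mark."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def redact(text, props=SECRET_PROPS):
    """Mask property values in both 'NAME=value' and 'NAME = value' forms."""
    for name in props:
        pattern = rf'({re.escape(name)}[ \t]*=[ \t]*)("[^"]*"|\S+)'
        text = re.sub(pattern, r"\1********", text)
    return text

def triage(text):
    """Return (exit_code, failed_actions); 'Return value 3' marks a failed action."""
    failed = re.findall(r"^Action ended [\d:]+: (\S+)\. Return value 3\.", text, re.M)
    codes = re.findall(r"MainEngineThread is returning (\d+)", text)
    return (int(codes[-1]) if codes else None), failed

if __name__ == "__main__":
    code, failed = triage(SAMPLE_LOG)
    print("exit code:", code, "failed actions:", failed)
    print(redact(SAMPLE_LOG))
```

Exit code 1603 is the generic Windows Installer failure code; 0 indicates success and 3010 indicates success with a restart required.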
Verifying installed hotfixes and updates
You can use the Add or Remove Programs item in Control Panel to
find ISA Server hotfixes and updates that you have installed. Hotfixes are
labeled with the name of the product. The name of the hotfix also includes the
Microsoft Knowledge Base article number that is associated with the hotfix.
Uninstalling hotfixes
During the uninstallation process, installation source files may be required,
such as the CD-ROM or the network location of the ISA Server Standard Edition
installation files. If the files are inaccessible, the Microsoft Firewall
service may not start. If this happens, uninstall the service pack again to
make sure that you can access the installation source files, rerun the
installation, or run ISA Server Setup in the Repair mode.
If you cancel the uninstallation of a service pack when you are not connected
to the installation source files, ISA Server services may not start. If this
happens, let the uninstallation process finish. To do this, run the service
pack installation again, run Repair, or uninstall the service pack again.
You can use the Add or Remove
Programs item in Control Panel to uninstall hotfixes and updates. To uninstall
an ISA Server 2004 hotfix or update, you must first install Windows Installer
3.0. For more information about Windows Installer 3.0, visit the following
Microsoft Web site:
Installing hotfixes and updates on Firewall Client computers
Follow the instructions for installing ISA Server 2004 hotfixes
and ISA Server 2006 hotfixes to install Firewall Client hotfixes and updates on
client computers that are running Firewall Client software. ISA Server 2004
includes the option to install a Firewall Client Share during Setup. Each fix
that affects Firewall Client software includes a hotfix or update that you can
apply directly to client computers. Each fix also includes a second hotfix that
you can apply to the ISA Server 2004 Firewall Client Share. Hotfixes that are
applied to the Firewall Client Share can then be distributed to client
computers. To update a Firewall Client Share with a hotfix or update, use one
of the following methods:
• Run the Update.bat script in the Firewall Client Share. Typically, the path of this script is \\ISA\Mspclnt\Webinst\Update.bat.
• Run the msiexec command in the Firewall Client Share. To do this, type the following command at a command prompt:
  msiexec /feumsv \\ISA\Mspclnt\MS_FWC.msi